Ask an Expert



Error: Contact form not found.

CMMC Requirements: Levels 1-5 Explained

The Department of Defense (DoD) has over 300,000 companies in its defense industrial base that may have access to government-sensitive information. To safeguard federal contract information (FCI) and controlled unclassified information (CUI) on the contractors’ information systems and control the rise of cybercrime and its devastating effects, DoD has developed the Cybersecurity Maturity Model Certification (CMMC) framework.

Before CMMC, contractors were accountable for implementing and monitoring their own cybersecurity best practices. But now, the CMMC framework comes with a certification program and DoD will appoint its own certification body to audit and validate the implementation of the contractors’ cybersecurity infrastructure.

CMMC Requirements, Explained

The CMMC establishes five certification levels that contractors need to comply with to bid on future contracts. For an organization to achieve a specific CMMC level, it must also prove compliance with the preceding lower levels.

The CMMC levels’ focus is on the type and sensitivity of information and threats: level 1, safeguarding FCI; level 2, serves as a transition step in cybersecurity maturity progression to protect CUI; level 3, protecting CUI; and level 4-5, protecting CUI and reducing the risk of Advanced Persistent Threats (APTs).

For a more detailed explanation, below are DoD’s five CMMC levels with their corresponding processes and practices:

CMMC Level 1

Processes: Performed

Level 1 requires that an organization performs the specified practices. Since an organization may only be able to perform these practices in an ad-hoc manner and may not rely on documentation, process maturity is not assessed for Level 1.

Practices: Basic Cyber Hygiene

Level 1 focuses on the protection of FCI and consists only of practices that correspond to the basic safeguarding requirements specified in 48 CFR 52.204-21 (“Basic Safeguarding of Covered Contractor Information Systems”).

CMMC Level 2

Processes: Documented

Level 2 requires that an organization establish and document practices and policies to guide the implementation of their CMMC efforts. The documentation of practices enables individuals to perform them in a repeatable manner. Organizations develop mature capabilities by documenting their processes and then practicing them as documented.

Practices: Intermediate Cyber Hygiene

Level 2 serves as a progression from Level 1 to Level 3 and consists of a subset of the security requirements specified in NIST 800-171, as well as practices from other standards and references. Because this level represents a transitional stage, a subset of the practices references the protection of CUI.

CMMC Level 3

Processes: Managed

Level 3 requires that an organization establish, maintain, and resource a plan demonstrating the management of activities for practice implementation. The plan may include information on missions, goals, project plans, resourcing, required training, and involvement of relevant stakeholders.

Practices: Good Cyber Hygiene

Level 3 focuses on the protection of CUI and encompasses all of the security requirements specified in NIST SP 800-171, as well as additional practices from other standards and references to mitigate threats.

Note that DFARS clause 252.204-7012 (‘Safeguarding of Covered Defense Information and Cyber Incident Reporting”) specifies additional requirements beyond the NIST SP 800-171 security requirements such as incident reporting.

CMMC Level 4

Processes: Reviewed

Level 4 requires that an organization review and measure practices for effectiveness. In addition to measuring practices for effectiveness, organizations at this level are able to take corrective action when necessary and inform higher-level management of status or issues on a recurring basis.

Practices: Proactive

Level 4 focuses on the protection of CUI from APTs and encompasses a subset of the enhanced security requirements from Draft NIST SP 800-171B, as well as other cybersecurity best practices. These practices enhance the detection and response capabilities of an organization to address and adapt to the changing tactics, techniques, and procedures (TTPs) used by APTs.

CMMC Level 5

Processes: Optimizing

Level 5 requires an organization to standardize and optimize process implementation across the organization.

Practices: Advanced/Proactive

Level 5 focuses on the protection of CUI from APTs. The additional practices increase the depth and sophistication of cybersecurity capabilities.

It is important to note that the CMMC framework consists of 171 practices distributed across the five levels for all capabilities and domains. So if a contractor is to work on a level 5 contract, his company will need to comply with level 5 requirements plus all the requirements of levels 1-4 for a total of 171 practices. Contractors should begin taking immediate steps to learn the CMMC’s technical requirements and prepare their cybersecurity infrastructure and/or best practices to be at par with the CMMC framework. Failure to do so could bode problems with their ability to compete for work.

For contractors that are just starting to adapt to the CMMC standards, it may come across as an overwhelming task. Seeking help from a security expert can equip your organization to fully understand all the details.

Ensure Compliance with an Expert

Dynamic Systems has been helping federal agencies and their partners to accelerate transformation and ensure business continuity. As an organization that has previously worked with government contractors under the DoD, we are familiar with cybersecurity standards and are constantly upgrading our security solutions based on the latest cybersecurity and compliance trends.

Our team of security experts can help enhance your organization’s cyber hygiene practices and tailor solutions based on your CMMC requirement. Let’s connect today.

Lack of Management Support in Project Management

Insufficient Resources in Project Management

Hardware and Software: Why Both Need to be Secured in the Cloud

Legacy to Cloud: How to Get Started

Dynamic Systems Enabling Companies To Realize the Transformative Power of the Cloud

How to Navigate the Cloud Migration Process with Little to No Disruption

Cloud Technology: How to Find a Winning Strategy

The Evolution of Project Lifecycle Management

Ready for the Cloud? Move and Modernize Your Workloads with Dynamic Systems

What Does It Mean to Move to The Cloud

Legacy to Cloud: Who Is The Right Vendor?

CMMC: Where Does Your Company Fit In

How Defense Contractors Can Achieve CMMC Compliance

Why Choose Dynamic Systems for Your Move from Legacy to Cloud

Migrating Legacy Apps to the Cloud: Dynamic Systems for Business Continuity

Extending Life Cycle of Mission Critical Systems with Dynamic Systems

Multi-Factor Authentication

Agilists, Assemble!

Hardware and Software: Why Both Need to be Secured in the Cloud

5 Best Practices for Federal IT Modernization

A Road Map for Federal Agencies Adopting Cloud-based Applications

Ineffective Communication in Project Management

Finding the Best Platform for Each Job at Your Modern Federal Agency

Simplifying Edge Infrastructure Security And Management

Myths Impacting IT Modernization In Federal Government

Enabling “Edge to Cloud” in Modern Federal IT

SPARC Server Migration: Here’s All You Need To Know

Best Practices in Moving, Storing, and Processing Data – From Edge to Cloud

Specialized Data Center: Design and Manage Government Data Centers with Security in Mind

Project Management Challenges in Government

Cloud Readiness Assessment:
Are You Thinking About Moving to the Cloud?
Are You Ready to Move to the Cloud?

Cloud Computing: The Future of Government IT Innovation